Downgrade event-stream to 3.3.4

> The NPM package flatmap-stream is considered malicious. A malicious
> actor added this package as a dependency to the NPM event-stream package
> in versions 3.3.6 and later. Users of event-stream are encouraged to
> downgrade to the last non-malicious version, 3.3.4.

See dominictarr/event-stream#116

Author: Duhemm

vscode-dotty/package-lock.json

@@ -114,7 +114,8 @@
     "vscode-jsonrpc": "4.0.0",
     "ws": "^6.0.0",
     "archiver": "^3.0.0",
-    "request": "^2.88.0"
+    "request": "^2.88.0",
+    "event-stream": "=3.3.4"
   },
   "devDependencies": {
     "@types/compare-versions": "^3.0.0",